Identity Theft From Tossed Airline Boarding Pass?

crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."

BA could be liable for damages...

[The Dodger]

..under the UK's Data Protection Act. See http://www.dataprotection.gov.uk/ [dataprotection.gov.uk] for details...

No piece of paper is safe

[Billosaur]

From the artice: Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

Laurie was anything but smug.

"This is terrible," he said. "It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it.

Anything that has even one piece of critical information on it (name, address, account numer of any sort, etc.) is vulnerable. That's why my shredder works overtime. I don't throw boarding passes away; I have quite a collection of them from my trips to Europe and the ones I don't want get consigned to the shredder. You can't take for granted that once you toss away a piece of paper, it will be on its way to the landfill soon enough. Trash may sit unattended for hours, even at a busy airport, and is a ripe picking ground. Mind you, I think airport security might look at you funny if you were poking around in all the trash cans, but you never know.

Passport Required!!!!

[hughk]

I am curious as to how the person got so far through the BA website without a password or PIN. Last time I looked, you needed this. Perhaps Mr Broer hadn't registered one. Otherwise did they compromise BA's website?

The important thing is that you will not be allowed on an international flight without showing a valid passport. BA boarding procedures mandate a check of the passport against the ticket at the gate. This is kind of necessary now that outbound passengers from the UK are very rarely checked by immigration. True, an airline is unlikely to even have a UV light let alone a scanner there so it may be possible to get through with a forged passport.

Real ID act

[guisar]

Yesterday I was stopped by a cop in the Concord, MA national park because the muffler on my old vw bus was a bit loud. I handed him my Vermont driver's license, which is a bit of paper with no SSN, only a coded address and no photo. His response- "What's this". "My driver's license" I replied. "Well how do they hope to stop terrorists with this?"

Being an opponent of the current craze for every more comprehensive and intrusive IDs and ID checks here in the US, I hope some proponents of the Real ID act will pay heed to unintended consequences of this absurdity.

Re:Halal == potential terrorist?

[AgentPaper]

To add insult to injury, if your name even remotely resembles the name of a known or suspected "evildoer," you get flagged. My entire family now suffers an extra 45 minutes of screening at the airport, every single time we fly, because my dad's name matches that of some IRA gunman who was last active in the early 80's. (Before you go thinking this might be a valid concern, consider that we're talking about an extremely common name. "John Murphy" isn't exactly "Zaccarias Moussaoui.") And of course, all this color-coded rigmarole does not make us one bit safer, just more vulnerable to the constant fear-mongering coming out of Washington.

Re:Boycott

[mgblst]

I flew from Sydney to Vancouver, and the plane happened to stop in Honolulu for refueling. Since Honolulu is in the US, every single person had to get off the plane, have their picture taken, and be finger printed. Then we all got back on, and flew the rest of the way to Canada. It took 2 hours, for nothing. Nobody was staying in Honolulu, we only wanted some fuel. Thanks US.

And surprisingly, they didn't catch any terrorists that day, either.

Security scans

[RafaelGCPP]

On 2004 I travelled a lot to USA.

This don't seem to be much, but I was "selected" for manual scanning of my handbag in almost every USA airport.

Common sense and good diplomatics told me to accept that and never question authorities when you are a foreign citizen, but on the last scan, at MIA airport, though I created the guts to ask the nice TSA security agent why I was being scanned over and over. The answer shocked me: "It is all that electronics you carry. Makes very difficult to see what you have". I always carried my cellphone, myPDA, my digital camera and my CD player with me, on the same bag, and it really looked a mess.

The funny thing: I felt safer, because they were really looking at the x-ray. The only time I got stopped by airport security where I live, was because I told the guys my cellphone never made those portals beep... THAT DAY, it beeped!!!

That story scares me.

[Don_dumb]

I have to admit I am shocked, I didin't think they had any right to do so.

I thought that runways were a kind-of international territory? Thereby allowing people to get transferring flights without going through passport control (which acts as the the offical border) and be a passenger on a plane that refuels without getting visas for the land in which they are only sitting on a runway. Does the US government really have the right to do this? I mean they couldn't stop a plane flying from Canada to Mexico because the people inside dont have entry visas for the US or havent taken US mandated security procedures, could they?

Re:Real ID act

[CortoMaltese]

A friend told me she'd tried to buy some beer at a liquor store, and when asked for an ID, she'd used her passport. "Don't you have a driver's license?" the person behind the counter had asked, "Anyone can get a passport." So I guess the driver's license is the "real" ID in the US...

Shredders arn't that great

[hey]

If I was looking for sensitive info on a street on garbage day I'd look for the shredded stuff. Also, of course, you can put it back together.

Re:Halal == potential terrorist?

[rograndom]

To add insult to injury, if your name even remotely resembles the name of a known or suspected "evildoer," you get flagged. My entire family now suffers an extra 45 minutes of screening at the airport, every single time we fly, because my dad's name matches that of some IRA gunman who was last active in the early 80's. (Before you go thinking this might be a valid concern, consider that we're talking about an extremely common name. "John Murphy" isn't exactly "Zaccarias Moussaoui.") And of course, all this color-coded rigmarole does not make us one bit safer, just more vulnerable to the constant fear-mongering coming out of Washington.

Try having your father include his middle initial and/or name when ordering plane tickets next time. I used to have the same problem, it because a running joke between myself and my girlfriend, who has a foreign issued passport from an "axis of evil" country which doesn't match her green card due to marriage, yet she goes through with out a second glance while I get my shoes taken away for closer inspection and patted down three times on my way to the gate. Finally, after being told that I had to leave the airport and comeback in through security after I missed a connection due to flight delays I asked about how to get my damn name off the list. The ticket lady said that it probably wouldn't happen since I had a very common name, but if I started using my middle initial that wouldn't raise any flags. And sure enough, it works. I just breeze through security now. Of course the last trip I took they raised the terror alert level after I was in the air and there was more security when we landed, obviously because I was able to slip by security, so homeland security provided more amusement to my girlfriend.

Re:Boycott

[azhrei_fje]

They know these security programs do nothing more than waste money on pork and make certain politicians feel smug, earning brownie points with their constituents.

This is right on.

The next time you visit an airport, ask yourself what would happen if a terrorist didn't wait until they got all the way to the metal detectors and X-ray machines before detonating an explosive device. As a business traveler, I've logged a million miles on one airline and hundreds of thousands on other airlines. Any idiot who wanted to wreak havoc could tell that the place to detonate such a device would be while standing in front of the security machines: you'd take out a bunch of people and render that section of the airport unusable.

So what do you do to fix it? Obvious: move the screening center further up. (And before you hit Reply, I know that wouldn't work. I'm j/k.)

I'm not posting as an AC. Maybe that's risky -- we all know that the U.S. government snoops on its citizens -- and I really can't afford to defend myself against the likes of Gonzales. But I can trust in my country's Constitution and hope that those in power won't abuse it. (That's naive. But maybe with enough press coverage I wouldn't get shafted too bad.) But without open discussion that provokes thoughtful responses, how will anything get any better?

Re:Halal == potential terrorist?

[DavidTC]

I challenge this Administration to a contest. Random fake guns, made of the same material as real guns but without any insides, and painted bright orange, will be sold in stores. As will fake knifes, colored the same.

Anyone can buy them, and the government is not allowed to track who does.

Now, we have a contest. At any point in any flight, these items can be handed over to the airplane staff, or dropped in one-way boxes in the bathrooms.

To make it somewhat realistic, penalty-wise, anyone caught smuggling one on the plane before the plane takes off will miss the flight, and have to spend a day in a holding cell at the airport. It won't be 'illegal', and it won't go on their record at all. It's like being dead in paintball. We got you, terrorist!

All collected guns and knifes are counted, and the weekly collection numbers must be reported.

We'll see how good airline security is then.

Re:Boycott

[smooth wombat]

I'm so glad you said the same thing I've been saying for a long time re: someone wanting to do harm not waiting to get on the plane. The line of people waiting to get screened is just as viable a target as an entire plane.

Want to really cause panic in the air traffic system and probably get it shut down? Get you and four of your friends to do the same thing at five different airports at the same time on the same day. Say 12 noon eastern time the day before Thansksgiving.

If anyone from any three letter agency is going through an apoplectic fit because I just said this, get a clue. If this isn't in your contingency plans then what the hell are you doing with my money?

But the wiping / gas chromatograph thing does...?

[igb]

I got my laptop bag wiped down at SFO a few years ago, and the little tissue popped into the machine to test for explosives. Either it's incredibly selective, or it's bullshit. My bag had been under the counter at the late lamented National Shooting Club on Duane while I shot ~200 rounds of 9mm and a box of .38 S&W. It had had spent cartridges falling on it. I'd been handling both live and spent ammunition. When I arrived at the airport I stank of firing ranges.

And yet the little wipe said all was well. Either it's sufficiently selective to spot the difference between propellant and explosives. Or it's nonsense.

ian

Re:Boycott

[Bill Kilgore]

I fully expect that will be the next "terrorist" attack. Coordinated bombings of TSA checkpoints. It's a hilarious concept, until someone actually does it.

As others here have implied, TSA is for show. So the masses of sheeple "feel safe". It also provides the government with a great tool to build up the citizenry's tolerance for unconstitional searches, seizures, and assorted other indignities.

Re:Dumbest thing I've ever read

[terjeber]

But the information wouldn't be there in the first place if it wasn't for the US.

Rubbish! You are clearly not reading what the article states. The US doesn't require that BA stores the passport number on the Frequent Flyer site. In fact, the US doesn't require that BA stores the information anywhere as long as they ship it to the US before you board the plane, in other words, they could have you supply the information when you buy the ticket, ship it accross, and promptly remove it.

The only reason BA had the passport number on their Frequent Flyer site is so that they could make it convenient for the traveller. The US doesn't require this, and if you ask anyone in the US government, they would probably strongly recommend against it. Having your identification number accessible through a website, in any manner, is a huge security issue.

This is BA messing up, not thinking about what they should and should not store on their Frequent Flyer website, and completely making an arse out of them selves by allowing access to this information with no password.

This problem is not related to the US government at all, in any way, except inside the head of a lobotomized journalist.